
AD security: Delegating administration

Delegation of administration in Active Directory is a necessary way to give non-administrators the ability to create and control users and groups. This article by Microsoft MVP Derek Melber details ways to securely delegate administrative rights in Active Directory.

We investigated securing your domain controllers in Part 1 of this series on Active Directory security. In that article, we exposed some major security vulnerabilities that may exist on your domain controllers and recommended some Group Policy settings to help mitigate the risk. For Part 2 of this series, we investigate the delegated administration of the objects that reside within the database. The concept of delegating administration in Active Directory can be complex, but with proper design and planning, the delegation can be logical, secure and manageable.

What is delegation of administration?

Delegation of administration is an elaborate way of saying that permissions to AD objects are altered and configured to allow certain users administrative access. Active Directory objects, like files and folders, have Access Control Lists (ACLs), which are configured to restrict or allow access to the resource.

The process of delegating administration for the control of certain Active Directory objects is a new concept within Windows 2000/2003 Active Directory, which was not available in Windows NT. A common, yet important, example of delegation of administration would be when members of the help desk are given permission to reset passwords for domain user accounts.

Not all Active Directory objects make good candidates for delegating administration, and it is important to understand which ones can be controlled to design the placement of the objects within the Active Directory structure.

Here are the Active Directory objects and the common delegation tasks for each one:

User accounts -- User accounts are the most common objects to be controlled by delegation. Almost any task that is completed for a user account within Active Directory can be delegated. This includes creating accounts, modifying any user property, resetting passwords and deleting accounts.

Group accounts -- The groups within Active Directory include Universal, Global and Domain Local. The most common delegated task over these objects is controlling the membership within the group. Creation and deletion of group accounts is also commonly delegated.

Computer accounts -- Computer accounts are typically created when a user joins his or her computer to the domain. Active Directory allows every user to add 10 computers to the domain. Although there are plenty of tasks that need to be completed to secure computers, none of them are done with the computer account within Active Directory. Therefore, it is not common to delegate administration to these objects.

Circumstances for performing the delegation

Microsoft has built in a wizard that helps deploy permissions for some of the most common scenarios for delegation. The Delegation of Control Wizard, which is available at each level within the Active Directory structure, allows granular control over who can perform which duties to objects within Active Directory. Typically, the Wizard is used to control permissions over objects at the organizational unit level.

To start the Wizard, right-click the appropriate organizational unit and choose the Delegate Control menu option. The Wizard first asks you which group you want to delegate permissions to. This is key, in that the group does not need to reside within the organizational unit that is being delegated. Next, the Wizard provides a preset list of common delegations to choose from, including:

Resetting user account passwords

Creating and deleting user accounts

Creating and deleting group accounts

Modifying group membership

If the list of common delegation tasks is not enough, you can always customize delegations down to the object attribute level. This would include the highly granular control over user, group and computer objects that are located in Active Directory.
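Because the Wizard only writes access control entries to the organizational unit's ACL, those entries can be read back and reviewed. The following PowerShell audit is an added example, not part of the original article; it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name is a placeholder.

```powershell
# Added example: list explicit (non-inherited) Allow ACEs on one OU that grant
# administrative rights, so delegations made with the Wizard can be reviewed.
Import-Module ActiveDirectory           # also provides the AD: drive

$ouDn = 'OU=Staff,DC=example,DC=com'    # placeholder OU, replace with your own

# Well-known schema and extended-right GUIDs used by the preset tasks.
$guidNames = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user (class)'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group (class)'
    'bf9679c0-0de6-11d0-a285-00aa003049e2' = 'member (attribute)'
}

function Resolve-AceGuid([guid]$Guid) {
    # Return a friendly name when the GUID is known, otherwise the raw GUID.
    $key = $Guid.ToString()
    if ($guidNames.ContainsKey($key)) { $guidNames[$key] } else { $key }
}

# Rights that indicate delegated administration rather than plain read access.
$adminRights = [int][System.DirectoryServices.ActiveDirectoryRights]`
    'GenericAll, WriteDacl, WriteOwner, CreateChild, DeleteChild, WriteProperty, ExtendedRight'

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        -not $_.IsInherited -and
        (([int]$_.ActiveDirectoryRights -band $adminRights) -ne 0)
    } |
    ForEach-Object {
        [pscustomobject]@{
            Trustee    = $_.IdentityReference          # group or user holding the right
            Rights     = $_.ActiveDirectoryRights
            Target     = Resolve-AceGuid $_.ObjectType            # right, attribute or child class
            OnObjects  = Resolve-AceGuid $_.InheritedObjectType   # class the ACE is inherited by
            Scope      = $_.InheritanceType
        }
    } |
    Sort-Object Trustee |
    Format-Table -AutoSize -Wrap
```

A password-reset delegation appears as `ExtendedRight` with the Reset Password target on user objects; any trustee in the output that is not an expected administrative group is worth reviewing.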

Summary

Active Directory provides an excellent means for administrators to delegate certain tasks to junior administrators and other reliable company employees. The concept of delegation works for both user and group controls. Delegation can be set down to the object property level, even as granular as giving some users the ability to reset the password for other user accounts within the directory. Care must be taken when providing this delegation, as it can jeopardize the security of Active Directory.

About the author: Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at derekm@desktopstandard.com.
